|
You'd have to run those commands on the print server
|
# ? Apr 23, 2021 21:59 |
|
|
Thanks Ants posted:
You'd have to run those commands on the print server

D'oh. I don't have access to that (that I'm aware of). I'm out of my scope and depth on this, will leave well enough alone. I was hoping I'd get lucky that if I knew the NetworkPrinterName I could get the IP, or vice versa. Thanks for the help!
|
# ? Apr 23, 2021 22:02 |
|
Hughmoris posted:
D'oh. I don't have access to that (that I'm aware of). I'm out of my scope and depth on this, will leave well enough alone. I was hoping I'd get lucky that if I knew the NetworkPrinterName I could get the IP, or vice versa.

If the printers are registered in AD and the port names include the IP addresses, you might be able to eke something out.

code:
|
# ? Apr 23, 2021 22:10 |
|
Internet Explorer posted:
If the printers are registered in AD and the port names include the IP addresses, you might be able to eke something out.

Get-ADOject is not recognized, I'm guessing because I don't have elevated privileges.

Last hail mary... If I do nslookup <ipaddress> I receive server name/ip and the printer name/ip. The problem being the printer name is in a format like printer-115.domain.com. Anything useful I can take from that to walk to a friendlier printer name? Even if the name was \\serverpath\\printer_01_x.
|
# ? Apr 23, 2021 22:19 |
|
No, there's no relationship between how printers are listed in DNS and what the 'friendly' name is that the print server publishes queues as.
|
# ? Apr 23, 2021 22:23 |
|
Hughmoris posted:
Get-ADOject is not recognized, I'm guessing because I don't have elevated privileges.

Sounds like you don't have the module installed. Do you have local admin rights, or no? If so, you can install the RSAT tools and try again.

nslookup is just looking at DNS entries. There's no given that the DNS entry matches the share name ("friendly name" as you are calling it) and I'd say most places aren't that organized.
|
# ? Apr 23, 2021 22:24 |
Get-adobject should be fine? That just reads AD and if you can load the AD module without doing some fuckery with your PS drives you should be able to use get cmds. Whether you have read access to those objects in AD can be another story. I've only seen it with printers and big loving dollar printers to manage cost.
|
|
# ? Apr 23, 2021 22:33 |
|
I don't have local admin rights, they have it locked down (understandably).

To wrap this up: since I can't leave well enough alone, I started poking about a bit more. When I ran Get-Printer on my local computer on the VPN, I saw that it had a printer mapped to a network path with a $PrintServerName. I then ran Get-Printer -ComputerName "$PrintServerName" and that gave a list of printers with their "friendly" name and ports. I then did a little more sleuthing to find the other relevant print server names. A few more checks and I found my target IP and printer.

At this point I'll read up on a little more PS, put together a simple script that will poll all of the print servers for their list of printers and then check to see if a given IP is in one of them and what the associated printer name is.

The bigger picture is that this is a people/process problem that is outside of my responsibilities but it was a fun puzzle to solve. Thanks for the help everyone!
|
# ? Apr 24, 2021 00:52 |
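The lookup described in the post above, written out as an added example (not the poster's script): it polls a list of print servers and reports which queue sits on a port with the given IP. The server names and IP are placeholders, and it assumes the PrintManagement cmdlets are available and the caller can read each print server.

```powershell
# Added example: map a printer IP address to its queue name across print servers.
# Server names and the IP at the bottom are placeholders, not values from the thread.
function Find-PrinterByIP {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $PrintServer,
        [Parameter(Mandatory)] [string]   $IPAddress
    )
    # Port names often embed the IP (e.g. "IP_10.0.0.115"); the digit guards
    # stop 10.0.0.11 from also matching 10.0.0.115.
    $namePattern = '(^|[^0-9])' + [regex]::Escape($IPAddress) + '([^0-9]|$)'

    foreach ($server in $PrintServer) {
        try {
            # The address lives on the port; a printer only references a port by name.
            $ports    = Get-PrinterPort -ComputerName $server -ErrorAction Stop
            $printers = Get-Printer     -ComputerName $server -ErrorAction Stop
        } catch {
            Write-Warning "Could not query ${server}: $($_.Exception.Message)"
            continue
        }
        # Local and WSD ports have no PrinterHostAddress, so fall back to the name.
        $portNames = @($ports | Where-Object {
            $_.PrinterHostAddress -eq $IPAddress -or $_.Name -match $namePattern
        } | ForEach-Object Name)

        $printers | Where-Object { $portNames -contains $_.PortName } |
            Select-Object @{n = 'PrintServer'; e = { $server }}, Name, ShareName, PortName
    }
}

Find-PrinterByIP -PrintServer 'printsrv01', 'printsrv02' -IPAddress '10.0.0.115'
```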
|
That's pretty cool. Good job!
|
# ? Apr 24, 2021 00:54 |
|
Can anyone recommend a good KVM/iLO/whatever solution that's cheaper than 600$ but still does digital? Basically I want to be able to connect from normal workstations to multiple devices being set up (HDMI/DVI/DP + USB). So far it seems like you can either get ones with a single HDMI input for 700€ or one with 8 that needs 100€ adapters per input, making it cost 600€ for just one working input. It would actually be preferable if we could do n:n connections, but 1:n would be good enough. I just can't believe no one has made a cheap generic device for this.
|
# ? Apr 28, 2021 21:00 |
|
SEKCobra posted:
Can anyone recommend a good KVM/iLO/whatever solution that's cheaper than 600$ but still does digital?

There are a few projects to do this with a Raspberry Pi 4 providing virtual keyboard/mouse and disk over USB-OTG and a video capture device.

https://pikvm.org/
https://mtlynch.io/tinypilot/

That gets you down under $100 per machine, maybe a bit more if you want to wire up power/reset controls. Anything fancier than that is going to cost you, the market is just too limited.
|
# ? Apr 28, 2021 21:31 |
|
Old Avocent/whatever they are called gear off eBay seems to be the way to go on this, but there's an 80% chance of encountering a Java applet. Like wolrah said, it's a limited market. People just buy servers with iDRAC/iLO now because it's hundreds of times better than a KVM.
|
# ? Apr 28, 2021 22:14 |
|
Well our use case is actually having a "setup table" for computers/servers etc. that we are deploying for the first time. It's a major hassle right now because we are running out of space and we only have like one or two setup seats that you have to constantly walk to and from before the OS is set up far enough for remote control. This should probably be less of an issue for clients at some point in the future when we get our new (fully automated) deployment solution, but servers are still extremely manual labor for us. I just want to plonk down new hardware, connect three cables and then do the rest from my workstation. If there really is nothing cheaper, I'll just have to get busy arguing for an 8 connector ATEN unit.
|
# ? Apr 28, 2021 23:15 |
|
If you only need local control (as in, the next room) then you can get KVM extenders that bring the USB and video to your workstation. It sounds like you don't need the switching part or the network control which is what makes the KVM expensive. Or even go really cheap and just extend the HDMI cable, and use a wireless keyboard/mouse and plug the receiver into the server you're building.
|
# ? Apr 28, 2021 23:29 |
|
No, I do need the remote control, as I have several people that need to access the attached devices. Not necessarily simultaneously, but definitely regularly.
|
# ? Apr 29, 2021 05:47 |
|
How do you store bitlocker keys in AD on current versions of Windows 10?

code:
Note: Trusted Platform Module (TPM) initialization might occur during BitLocker setup. Enable the "Turn on TPM backup to Active Directory Domain Services" policy setting in System\Trusted Platform Module Services to ensure that TPM information is also backed up.

But as far as I can tell I have the other GPO settings right for Fixed Data Drives and OS Drives.

It worked on one of my test PCs but not the other (storing the keys in AD), automatically when bitlocker was turned on and the drive was encrypted.
|
# ? May 4, 2021 15:57 |
|
Does anyone know why RDS sometimes leaves ghost menus or splash screens, etc? The SSMS context menu shows above everything and the only way to fix is to disconnect the RDS session. Is there some GPO setting I can change to cut this poo poo out? It happens for any application, multiple users, and all Windows 10.
|
# ? May 27, 2021 21:15 |
|
I'm currently working in an AD environment where everyone's passwords are set to never expire and very lax password complexity requirements, and they've been this way for several years. I want to roll out a GPO to force better password complexity and maximum password age and also turn off the never expire flag on all users. If I do this, will it immediately invalidate everyone's passwords considering they'd be over the maximum allowed age? I need to ensure this is a smooth rollout especially with 90% of users working from home. Should I instead roll out communication prior to the GPO to tell users to change their passwords or this will happen?
|
# ? Jun 22, 2021 14:11 |
|
Use Fine Grained Password Policy and add people to the group you apply it to over time. This will also mean that if you choose to have a password expiry, they don't all hit at the same time further down the road. I do feel obligated to say that expiring passwords on a set interval is against NIST guidelines. It's better to do stuff like monitor for bad passwords and other newer approaches. Also make sure you understand what happens when a user's password actually expires. How do they change it, does the VPN stop allowing logins when the password expires, etc.
|
# ? Jun 22, 2021 14:21 |
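A staged rollout along the lines of the post above, as an added example that is not code from the thread: a fine-grained password policy bound to a group, with users enrolled in batches and anyone whose password is already older than the new maximum age reported instead of enrolled. The policy name, group name, length, age and batch size are placeholders; it assumes the ActiveDirectory module and rights to create password settings objects.

```powershell
# Added example: staged fine-grained password policy (FGPP) rollout.
# All names and numbers below are placeholders for illustration.
Import-Module ActiveDirectory

$policyName = 'PSO-Staged'        # hypothetical policy name
$groupName  = 'GG-PSO-Staged'     # hypothetical global security group
$maxAge     = New-TimeSpan -Days 365
$batchSize  = 25

# 1. One-time setup: the policy applies only to members of the group.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
        -MinPasswordLength 14 -ComplexityEnabled $true -MaxPasswordAge $maxAge
    Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName
}

# 2. Enabled users who are not yet covered by the policy.
$members = @(Get-ADGroupMember -Identity $groupName | ForEach-Object distinguishedName)
$pending = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $members -notcontains $_.DistinguishedName }

# 3. A password older than the new maximum age is expired the moment the policy
#    applies and the never-expire flag is cleared, so those accounts are only
#    reported here and can be contacted before they are enrolled.
$cutoff = (Get-Date) - $maxAge
$stale  = $pending | Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff }
$fresh  = $pending | Where-Object { $_.PasswordLastSet -ge $cutoff } |
    Select-Object -First $batchSize

# 4. Enroll one batch per run; re-run on a schedule to spread out future expiry dates.
if ($fresh) {
    Add-ADGroupMember -Identity $groupName -Members $fresh
    $fresh | Set-ADUser -PasswordNeverExpires $false
}

$stale | Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires
```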
|
Yeah I wouldn't set the users' passwords to expire. Force complexity yes, but password expiration encourages bad more-guessable passwords. E: Focus on 2FA instead of expiration
|
# ? Jun 22, 2021 16:50 |
|
Even if it was like a one year expiration rather than the 90 days?
|
# ? Jun 23, 2021 01:31 |
|
kiwid posted:
Even if it was like a one year expiration rather than the 90 days?

Expiration, like a jacket, is no longer required.
|
# ? Jun 23, 2021 02:00 |
|
We just went to 15-character minimum, no special character, 1-year expiration on generic accounts. Like all the labs use on the instrument stations. I foresee a steady increase in sticky note and label printer usage over the next few years. And yes, we have been featured in a photo essay at DEFCON.
|
# ? Jun 23, 2021 02:44 |
|
All our generic accounts went to PINs. Works well.
|
# ? Jun 23, 2021 04:54 |
|
Password expiration is unfortunately going to take a long time to die from the number of people still married to a government recommendation from the 90's about as accurate as the contemporary food pyramid instead of the government recommendation of today and many, many major companies and organizations. Resistance to MFA is also a big factor, both from the user perspective of them hating anything even slightly inconvenient, especially suits, and the IT perspective of either being stretched too thin to take on the project of setting it up, or just not wanting to make the effort to implement.
|
# ? Jun 23, 2021 16:27 |
|
I noticed a new firmware update was on HP's website for my PC (ProDesk something), decided to wait to see how long it takes Windows Update to provide it. Took about three weeks which is reasonable, appeared as an additional update in Windows Update, suspended BitLocker as it should during the update, and did actually apply it. A few reboots with the warnings not to power off (this bit’s on HP rather than Microsoft) but it was very smooth. 10/10 would service UEFI through Windows Update again.
|
# ? Jun 23, 2021 22:47 |
|
We've been implementing 2FA at a lot of our customers due to insurance requirements, so that's a good thing. What I've found amusing about the whole thing is that our HD folks are extremely resistant/butthurt about having to deal with 2FA when logging into an admin account on a server. Like, yeah it's a couple extra seconds, but no, it's not going away no matter how much you whine. I really wish there would be good 2FA solutions for MSPs though, we've set up a VM in azure with VOIP apps/auth apps installed, but it's clunky.
|
# ? Jun 23, 2021 22:47 |
|
Thanks Ants posted:
I noticed a new firmware update was on HP's website for my PC (ProDesk something), decided to wait to see how long it takes Windows Update to provide it. Took about three weeks which is reasonable, appeared as an additional update in Windows Update, suspended BitLocker as it should during the update, and did actually apply it.

Yeah, this was a great part about moving everyone to WuFB. The only downside to drivers/firmware/UEFI from WuFB was that it didn't follow your normal update rings, it just goes out when Microsoft pushes it, which is kind of unfortunate for a lot of reasons, not the least of all that those are the types of updates you really want to test.
|
# ? Jun 23, 2021 23:09 |
|
MF_James posted:
We've been implementing 2FA at a lot of our customers due to insurance requirements, so that's a good thing.

Aware this is a completely idealistic scenario, but we are moving to only buying things that have a central portal where all customers can be managed, and that portal needs to support SAML or at least Microsoft OAuth. Doesn't matter how good the product is, if we need to share credentials you're losing the sale.
|
# ? Jun 24, 2021 11:09 |
|
kiwid posted:
Does anyone know why RDS sometimes leaves ghost menus or splash screens, etc?

Maybe change the RemoteFX settings, not sure if you can tune these from your RDP client, but you can for sure change them via GPO and registry.
|
# ? Jun 26, 2021 11:27 |
|
I have a client with 5 or so laptops. They're all encrypted with BitLocker. Every few months, a Windows Update comes along and basically bricks the laptops (although not all at once); they BSOD with Inaccessible Boot Device. The only way I've found to fix them is to decrypt the laptop via the command prompt in recovery mode. This is incredibly tedious, and it is very hard to do remotely as so many of the steps are outside of Windows. I either need to visit site, collect the laptop, or explain commands over the phone.

I can find very little on Google about this. Weirdly, I have other clients with encrypted devices who run without problem! It's truly bizarre. Has anyone got any thoughts on this?

This morning's headache is that we left bitlocker off on one device as part of testing. I got a call that the same problem had occurred, which shocked me as there was meant to be no encryption. Turns out, Bitlocker has enabled itself again, but of course the recovery key wasn't saved! No way back into the device at all. gently caress bitlocker.
|
# ? Jul 15, 2021 09:00 |
|
Are you getting UEFI updates pushed out via Windows Update? Or are you running an OEM-specific updater? BitLocker is meant to be suspended before firmware updates are done and then re-enabled afterwards to avoid this problem. Are you tracking UEFI versions anywhere that would correlate with issues coming about?
|
# ? Jul 15, 2021 16:05 |
|
I've seen not-dissimilar symptoms due to a bug in the TPM2.0 firmware on my personal Dell laptop. There was a specific update I had to download and apply from Dell that wasn't part of the normal patching update checker. If all the laptops are the same make/model/vintage, I'd definitely hit that on one of them.
|
# ? Jul 16, 2021 14:27 |
|
Bob Morales posted:
How do you store bitlocker keys in AD on current versions of Windows 10?

To get AD key storage working in my environment I had to enable it at the ‘BitLocker Drive Encryption’ and ‘BitLocker Drive Encryption\Operating System Drives’ levels in the GPO.
|
# ? Jul 18, 2021 15:46 |
|
Thanks Ants posted:
Are you getting UEFI updates pushed out via Windows Update? Or are you running an OEM-specific updater? BitLocker is meant to be suspended before firmware updates are done and then re-enabled afterwards to avoid this problem. Are you tracking UEFI versions anywhere that would correlate with issues coming about?

There are firmware updates being done, but not frequently enough to relate to this issue. I think something else is going on here, but I'm doing a trial with VeraCrypt to see if that makes a difference.
|
# ? Jul 19, 2021 09:28 |
|
Fruit Smoothies posted:
I have a client with 5 or so laptops. They're all encrypted with BitLocker. Every few months, a Windows Update comes along and basically bricks the laptops (although not all at once); they BSOD with Inaccessible Boot Device. The only way I've found to fix them is to decrypt the laptop via the command prompt in recovery mode.

It sounds like Windows Update isn't able to gracefully suspend BitLocker, but is proceeding with the update which then pisses off the TPM's integrity check and results in the 'Inaccessible Boot Device' BSOD.

There are a couple of ways to deal with this but how you go about it depends on the capabilities of the client's network infrastructure. For a small client your best bet would be to schedule Windows Updates and push a pre-update script which suspends BitLocker temporarily, runs the update(s), and then a post script which re-enables BitLocker.

When you say 'decrypt' are you going through a full decrypt cycle or just unlocking the volume, running chkdsk and then rebooting it? You should only have to do the latter to clear the BSOD error.
|
# ? Jul 19, 2021 10:30 |
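The pre-update and post-update steps from the post above, as an added example that is not code from the thread. Before suspending, it also makes sure a recovery password exists and is escrowed, since an unsaved recovery key is what locked out the laptop mentioned earlier. It assumes an elevated session on a domain-joined machine with the GPO that allows BitLocker recovery information in AD DS; the function names and the reboot count are made up for illustration, and the update itself is run by whatever tool is already in use.

```powershell
# Added example: wrap a patch run in a BitLocker suspend/resume on the OS drive.
function Suspend-BitLockerForUpdate {
    param([string] $MountPoint = $env:SystemDrive, [int] $RebootCount = 2)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { return }   # nothing to suspend

    # Make sure a recovery password exists before touching protection.
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($kp in $recovery) {
        try {
            # Escrow to AD DS so the key is retrievable if the next boot asks for it.
            Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
        } catch {
            Write-Warning "Recovery key $($kp.KeyProtectorId) not escrowed: $($_.Exception.Message)"
        }
    }
    if ($vol.ProtectionStatus -eq 'On') {
        # Protection comes back by itself after $RebootCount restarts (0-15).
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    }
}

function Resume-BitLockerAfterUpdate {
    param([string] $MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.ProtectionStatus -eq 'Off') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
    # Emit the final state so the deployment tool can log or alert on it.
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
}

# Pre-update step:   Suspend-BitLockerForUpdate
# Post-update step:  Resume-BitLockerAfterUpdate
```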
|
I don't know if this is sort of too narrow for this thread, but I'm setting up an SCCM application with a requirement that Chrome be present on the targets, so I set it up via Global Condition. However, the basic Global conditions only allow for checking a single file, and we've got an environment where Chrome could be in the x86 or regular Program Files directories. I have the choice whether to set up a single Global Condition with a short PowerShell script to check both places, or to set up 3 standard conditions, 1 for each location and 1 that checks the existential presence of the other two. I feel like the latter is easier to follow for less-technical folks following and is the least likely to ever encounter an issue later on if things change, but the former doesn't clutter up the console with 3 conditions for 1 app. Is there a Best Practice for this sort of thing? Does one make more logical sense than the other?
|
# ? Jul 20, 2021 13:21 |
It may also exist in app data. You could see if it has an uninstall reg key and if not install whatever is appropriate for the machine.
|
|
# ? Jul 20, 2021 13:34 |
|
Submarine Sandpaper posted:
It may also exist in app data.

Do you mean ProgramData? We certainly wouldn't support a user installing it in their profile folder. But, also, we just care if it's present, we're not installing Chrome if it's not there.
|
# ? Jul 20, 2021 13:54 |
|
No, for a spell Chrome would install itself in app data if it was run without admin privileges. Dunno if it still works.
|
|
# ? Jul 20, 2021 16:55 |